343 points beeburrt | 2 comments
nottorp ◴[] No.44002746[source]
Speaking of Stripe, when will they support 3d secure or however it's called this year?

The card I mostly use for online impulse purchases is from a semi-paranoid bank that turns down non-3d-secure transactions by default. Sometimes they call you for confirmation.

Needless to say, that means no impulse purchases from Stripe-using merchants. And no buying coffees for anyone.

Guess it's cheaper for me in the long run...

replies(3): >>44002755 #>>44002767 #>>44002889 #
ezfe ◴[] No.44002755[source]
Stripe supports 3D Secure; it sounds like your bank isn't invoking it properly for it to trigger on the Stripe end.

https://docs.stripe.com/payments/3d-secure

replies(1): >>44003826 #
nottorp ◴[] No.44003826[source]
Heh, I skimmed through the docs. It looks like it's extra work on the merchant's end to enable it.

So someone like BackerKit just didn't bother catering to EU customers.

Plus I saw a chapter about "reducing friction" in the Stripe docs. Via such honest practices as charging automatically after a free trial if the customer has a credit card on file? This has been discussed on HN recently wrt i-forget-what-service.

I suppose not requiring the extra 3d secure step is also "reducing friction".

replies(1): >>44003937 #
leejo ◴[] No.44003937[source]
The "d" in 3d means "domain", so three domains: the merchant, the card issuing bank, and the card scheme(s). The first two have to opt in to the process for it to be enabled, and most (all?) card issuing banks already have, so it's down to the merchant.

Not all merchants will opt in to 3d Secure as they might see a greater loss in revenue due to the friction it creates versus the risk. They might be taking payments in a low risk sector and use other fraud checking factors, or it might not make sense for them - examples where you end up having to produce the same card in person anyway so "card not present" fraud doesn't factor in so much.

Some merchants don't opt in as it would lose them millions of dollars of payments an hour due to the friction: Amazon for example.

I worked on the 3d Secure (and, formally, "Verified by Visa") integration at my previous job, and for a long time I was thinking I should write a blog post on what a complete mess of a protocol and implementation it [still] is. Haven't ever gotten around to that though.

replies(1): >>44003984 #
nottorp ◴[] No.44003984[source]
> on what a complete mess of a protocol and implementation it [still] is

Banks are banks :)

> so it's down to the merchant

... or down to the implementation team that may not even have mentioned it to the merchant if said merchant is in an area used to insecure credit card payments ...

Opting out is still customer hostile if you ask me.

replies(1): >>44004042 #
leejo ◴[] No.44004042[source]
> Opting out is still customer hostile if you ask me.

That's debatable - I really dislike my own card issuer's implementation as they will ring me, rather than prompt for an OTP, which is a long process and not always convenient. Other card issuers have other implementations. That's one of the, er, issues with the protocol - a lack of consistency. There are many other problems with it.

I'm using this with a credit card, and that already has strong consumer protections if fraud should happen. I, as the consumer, do not get to opt-out of this poorly implemented protocol.

Merchants are sold the protocol with the argument that it reduces chargebacks, i.e. reduces their costs, not that it is good for their consumers. If I (or someone else) make a payment with my card, and it passes the 3d Secure process, then the chargeback option is a liability that is taken by the issuing bank - and they shift that liability further by passing it on to the card holder: "This transaction went through 3d Secure, your chargeback option for it is revoked".

That's hostile to the customer.

Like I said, I have a tonne of material for a blog post. I just need to be bothered to write it.

replies(2): >>44004141 #>>44006084 #
1. mardifoufs ◴[] No.44006084[source]
Please write that blog post if you can! It's such an interesting part of the industry imo but there's basically ~ public documentation or discussions about it.
replies(1): >>44059547 #
2. leejo ◴[] No.44059547[source]
I may do so, eventually.

Related - I gave a talk a couple of weeks ago about banking interchange formats, which is related to all of this. The slides are here (top one) and the recording of the talk (which I will link) should appear soon: https://leejo.github.io/code/